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Abstract 

The operational semantics of a partial, functional language is often 
given as a relation rather than as a function. The latter approach 
is arguably more natural: if the language is functional, why not 
take advantage of this when defining the semantics? One can im- 
mediately see that a functional semantics is deterministic and, in a 
constructive setting, computable. 

This paper shows how one can use the coinductive partiality 
monad to define big-step or small-step operational semantics for 
lambda-calculi and virtual machines as total, computable functions 
(total definitional interpreters). To demonstrate that the resulting se- 
mantics are useful type soundness and compiler correctness results 
are also proved. The results have been implemented and checked 
using Agda, a dependently typed programming language and proof 
assistant. 

Categories and Subject Descriptors F.3.2 [Logics and Mean- 
ings of Programs]'. Semantics of Programming Languages — Oper- 
ational semantics; D.1.1 [Programming Techniques ]: Applicative 
(Functional) Programming; E.l [Data Structures]', F.3.1 [Logics 
and Meanings of Programs ] : Specifying and Verifying and Reason- 
ing about Programs — Mechanical verification 

Keywords Dependent types; mixed induction and coinduction; 
partiality monad 

1. Introduction 

Consider the untyped 2-calculus with a countably infinite set of 
constants c : 

t ::= c | x | Xx.t \ t\ t 2 

Closed terms written in this language can compute to a value (a 
constant c or a closure Xx.tp), but they can also go wrong (crash) 
or fail to terminate. 

How would you write down an operational semantics for this 
language? A common choice is to define the semantics as an induc- 
tively defined relation, either using small steps or big steps. For an 
example of the latter, see Figure 1 : p t |j. v means that the term 
t can terminate with the value v when evaluated in the environment 
p. However, as noted by Leroy and Grail (2009), this definition 
provides no way to distinguish terms which go wrong from terms 
which fail to terminate. If we want to do this, then we can define 
two more relations, see Figure 2: p \- t ff, defined coinductively. 
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Figure 1. A call-by-value operational semantics for the untyped X- 
calculus with constants, specifying which terms can terminate with 
what values (very close to a semantics given by Leroy and Grail 
(2009)). 
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Figure 2. Two more operational semantics for the untyped X- 
calculus with constants, specifying which terms can fail to termi- 
nate or go wrong. The definition written using double lines is coin- 
ductive, and is taken almost verbatim from Leroy and Grail (2009). 


means that the term t can fail to terminate when evaluated in the 
environment p\ and p \- t £ means that t goes wrong. 

Now we have a complete definition. However, this definition is 
somewhat problematic: 

1. There are four separate rules which refer to application. For a 
small language this may be acceptable, but for large languages 
it seems to be easy to forget some rule, and “rule duplication” 
can be error-prone. 

2. It is not immediately obvious whether the semantics is deter- 
ministic and/or computable: these properties need to be proved. 

3. If we want to define an interpreter which is correct by construc- 
tion, then the setup with three relations is awkward. Consider 
the following type-signature, where _l±J_ is the sum type con- 
structor: 

eval : V p t — > (3v. p I— t JJ v) l±J p t ff l±J p I— t £ 

This signature states that, for any environment p and term t, the 
interpreter either returns a value v and a proof that t can termi- 
nate with this value when evaluated in the given environment; 
or a proof that t can fail to terminate; or a proof that t goes 
wrong. It should be clear that it is impossible to implement eval 



in a total, constructive language, as this amounts to solving the 
halting problem. 

The situation may have been a bit less problematic if we had 
defined a small-step semantics instead, but small-step semantics are 
not necessarily better: Leroy and Grail (2009) claim that “big-step 
semantics is more convenient than small-step semantics for some 
applications’", including proving that a compiler is correct. 

I suggest another approach: define the semantics as a function in 
a total meta-language, using the partiality monad (Capretta 2005) 
to represent non-termination, where the partiality monad is defined 
coinductively as Ay = vX. A l±l X. If this approach is followed 
then we avoid all the problems above: 

1 . We have one clause for applications, and the meta-language is 
total, so we cannot forget a clause. 

2. The semantics is a total function, and hence deterministic and 
computable. 

3. The semantics is an interpreter, and its type signature does not 
imply that we solve the halting problem: 

[_] : Term — > Environment — > ( Maybe Value) ± 

An additional advantage of using a definitional interpreter is that 
this can make it easy to test the semantics (if the interpreter is not 
too inefficient). Such tests can be useful in the design of non-trivial 
languages (Aydemir et al. 2005). 

The main technical contribution of this paper is that I show 
that one can prove typical meta-theoretical properties directly for 
a semantics defined using the partiality monad: 

• A big-step, functional semantics is defined and proved to be 
classically equivalent to the relational semantics above (Sec- 
tions 3 and 5; for simplicity well-scoped de Bruijn indices are 
used instead of names). 

• Type soundness is proved for a simple type system with recur- 
sive types (Section 4). 

• The meaning of a virtual machine is defined as a small-step, 
functional semantics (Section 6). 

• A compiler correctness result is proved (Section 7). 

• The language and the type soundness and compiler correct- 
ness results are extended to a non-deterministic setting in or- 
der to illustrate that the approach can handle languages where 
some details — like evaluation order — are left up to the compiler 
writer (Section 8). 

• Finally Section 9 contains a brief discussion of term equiva- 
lences (applicative bisimilarity and contextual equivalence). 

As far as I know these are the first proofs of type soundness or 
compiler correctness for operational semantics defined using the 
partiality monad. The big-step semantics avoids the rule duplica- 
tion mentioned above, and this is reflected in the proofs: there is 
only one case for application, as opposed to four cases in some cor- 
responding proofs for relational semantics due to Leroy and Grail 
(2009). Related work is discussed further in Section 1.3. 

1.1 Operational? 

At this point some readers may complain that [[_] does not define 
an operational semantics, but rather a denotational one. Perhaps 
a better term would be “hybrid operational/denotational”, but the 
semantics is not denotational: 

• It is not defined in a compositional way: [[ t ] is not defined 
by recursion on the structure of t, but rather a combination of 
corecursion and structural recursion (see Section 3). 


• Furthermore the “semantic domain” is rather syntactic: it in- 
cludes closures, and is not defined as the solution to a domain 
equation. 

I do not see this kind of semantics as an alternative to denotational 
semantics, but rather as an alternative to usual operational ones. 
(See also the discussion of term equivalences in Section 9.) 

1.2 Mechanisation 

The development presented below has been formalised in the de- 
pendently typed, functional language Agda (Norell 2007; Agda 
Team 2012), and the code has been made available to download. 

In order to give a clear picture of how the results can be mech- 
anised Agda-like code is also used in the paper. Unfortunately 
Agda’s support for total corecursion is somewhat limited, 1 so to 
avoid distracting details the code is written in an imaginary vari- 
ant of Agda with a very clever productivity checker (and some 
other smaller changes). The accompanying code is written in actual 
Agda, sometimes using workarounds (Danielsson 2010) to con- 
vince Agda that the code is productive. There are also other, minor 
differences between the accompanying code and the code in the 
paper. 

1.3 Related Work 

Reynolds (1972) discusses definitional interpreters, and there is 
a large body of work on using monads to structure semantics 
and interpreters, going back at least to Moggi (1991) and Wadler 
(1992). 

The toy language above is taken front Leroy and Grail (2009), 
who bring up some of the disadvantages of (inductive) big-step 
semantics mentioned above. The type system in Section 4 is also 
taken from Leroy and Grail, who discuss various formulations of 
type soundness (but not the main formulations given below). Fi- 
nally the virtual machine and compiler defined in Sections 6-7 are 
also taken from Leroy and Grail, who give a compiler correctness 
proof. 

Leroy and Grail also define a semantics based on approxima- 
tions: First the semantics is defined (functionally) at “recursion 
depth” n; if n = 0, then the result _L is returned. This function 
is similar to the functional semantics [_] defined in Section 3, but 
defined using recursion on n instead of corecursion and the partial- 
ity monad. The semantics of a term t is then defined (relationally) 
to be 5 if there is a recursion depth no such that the semantics at 
recursion depth n is s for all n hq. Leroy and Grail prove that 
this semantics is equivalent to a relational, big-step semantics. This 
proof is close to the proof in Section 5 which shows that [[_] is 
equivalent to a relational, big-step semantics. 

Further comparisons to the work of Leroy and Grail is included 
below. 

The type soundness proof in Section 4 is close to proofs given 
by Tofte (1990) and Milner and Tofte (1991). They use ordinary, 
inductive big-step definitions to give semantics of languages with 
cyclic closures, define typing relations for values coinductively (as 
greatest fixpoints of monotone operators F), and use coinduction 
(. x e vF if x e X for some X C F(X)) to prove that certain 
values have certain types. In this paper the value typing relation 
is defined inductively rather than coinductively. However, another 
typing relation, that for possibly non-terminating computations, is 
defined coinductively, and the proof still uses coinduction (which 
takes the form of corecursion, see Section 2). 

Capretta (2005) discusses the partiality monad, and gives a se- 
mantics for partial recursive functions (primitive recursive func- 
tions plus minimisation) as a function of type V n. (N" — *■ N) — > 

(N± n _» Nj.). 

1 The same applies to Coq (Coq Development Team 2011). 



Nakata and Uustalu (2009) define coinductive big-step and 
small-step semantics, in both relational and functional style, for 
a while language. Their definitions do not use the partiality monad, 
but are trace-based, and have the property that the trace can be com- 
puted (productively) for any source term, converging or diverging. 
My opinion is that the relational big-step definition is rather tech- 
nical and brittle; the authors discuss several modifications to the 
design which lead to absurd results, like while true do skip having 
an arbitrary trace. The functional big-step semantics avoids these 
issues, because the semantics is required to be a productive func- 
tion from a term and an initial state to a trace. Nakata and Uustalu 
have extended their work to a while language with interactive in- 
put/output (2010), but in this work they use relational definitions. 

Paulin-Mohring (2009) defines partial streams using (essen- 
tially) the partiality monad, shows that partial streams form a 
pointed CPO, and uses this CPO to define a functional semantics 
for (a minor variation of) Kahn networks. 

Benton et al. (2009) use the partiality monad to construct a lift- 
ing operator for CPOs, and use this operator to give denotational 
semantics for one typed and one untyped 2-calculus; the former 
semantics is crash-free by construction, the latter uses A. to repre- 
sent crashes. Benton and Hur (2009) define a compiler from one 
of these languages to a variant of the SECD machine (with a rela- 
tional, small-step semantics), and prove compiler correctness. 

Ghani and Uustalu (2004) introduce the partiality monad trans- 
former, AM A. vX. M (A l±J A). (In the setting of Agda M should 
be restricted to be strictly positive.) 

Goncharov and Schroder (2011) use the partiality monad trans- 
former (they use the term resumption monad transformer ) to give a 
class of functional semantics for a concurrent language. 

Rutten (1999) defines an operational semantics for a while lan- 
guage corecursively as a function, using a “non-constructive” vari- 
ant of the partiality monad, Aj_ = (A x N) l±l (oo) (where oo 
represents non-termination and the natural number stands for the 
number of computation steps needed to compute the value of type 
A). With this variant of the monad the semantics is not a computable 
function, because the semantics returns oo iff a program fails to ter- 
minate. Rutten also discusses weak bisimilarity and explains how 
to construct a compositional semantics from the operational one. 

Cousot and Cousot (1992, 2009) describe bi-inductive defi- 
nitions, which generalise inductive and coinductive definitions, 
and give a number of examples of their use. One of their ex- 
amples is a big-step semantics for a call-by-value 2-calculus. 
This semantics captures both terminating and non-terminating be- 
haviours in a single definition, with less “duplication” of rules 
than in Figures 1-2, but more than in Section 3. An operator F on 
p(Term x ( Term U (T))), where Term stands for the set of terms 
and _L stands for non-termination, is first defined by the following 
inference rules (where v ranges over values): 

tj=>_L / 1 > r h => -L 

v => v 

t\ ?2 => -L t{ t2 => -L 

t\ => Ax.t ti => v t[x := v ] => r 
/ ] ti => r 

These rules should neither be read inductively nor coinductively. 
The semantics is instead obtained as the least fixpoint of F with 
respect to the order _C_ defined by 

XQY = A+ C T+ a X~ 2 Y~ , 

where Z + = { (t, s) e Z \ s ^ 1 ) and Z~ = Z \ Z + . F is not 
monotone with respect to _C_ (which forms a complete lattice), so 
Cousot and Cousot give an explicit proof of the existence of a least 
fixpoint (for a closely related semantics). 


2. The Partiality Monad 

Agda is a total language (assuming that the implementation is bug- 
free, etc.). Ordinary data types are inductive. For instance, we can 
define the type Fin n of natural numbers less than n, and the type 
Vec A n of A-lists of length n, as follows: 

data Fin : N — > Set where 

zero : [n : N) — > Fin (1 + n) 

sue : [n : N) — > Fin n —> Fin (1 + n ) 
data Vec (A : Set ) : Pi — > Set where 

[] : Vec A 0 

: [n : N) — > A — > Vec A n — > Vec A (1 + n) 

(Cons is an infix operator, :: ; the underscores mark the argument 
positions.) Inductive types can be destructed using structural recur- 
sion. As an example we can define a safe lookup/indexing function: 

lookup : {A : Set} [n : N) — > Fin n — > Vec A n — » A 

lookup zero (y :: xs) = x 

lookup (sue i) (y :: xs) = lookup i xs 

The arguments within braces, {. . .), are implicit, and can be omitted 
if Agda can infer them. To avoid clutter most implicit argument 
declarations are omitted, together with a few explicit instantiations 
of implicit arguments. 

Agda also supports “infinite” data through the use of coinduc- 
tion (Coquand 1994). Coinductive types can be introduced using 
suspensions: oo A is the type of suspensions, that if forced give us 
something of type A. Suspensions can be forced using ^ , and cre- 
ated using N_: 

^ : oo A — > A 

: A — > oo A 

(Here -L is a tightly binding prefix operator. In this paper nothing 
binds tighter except for ordinary function application.) 

The partiality monad is defined coinductively as follows: 

data _x (A : Set) : Set where 
now : A — > Aj_ 

later : oo (Aj_) — > Aj_ 

You can read this as the greatest fixpoint vX.A l+J X. The con- 
structor now returns a value immediately, and later postpones a 
computation. Computations can be postponed forever: 

never : Aj_ 

never = later (t never) 

Here never is defined using corecursion, in & productive way: even 
though never can unfold forever, the next constructor can always be 
computed in a finite number of steps. Note that structural recursion 
is not supported for coinductive types, as this would allow the 
definition of non-productive functions. 

The partiality monad is a monad, with now as its return opera- 
tion, and bind defined corecursively as follows: 

3*= : Aj_ — > (A — > By) — > By 
now x 3 = f = f x 
later x 3= / = later (f- x 3= /)) 

If x fails to terminate, then x 3= / also fails to terminate, and if x 
terminates with a value, then/ is applied to that value. 

It is easy to prove the monad laws up to (strong) bisimilarity, 
which is a coinductively defined relation: 


- This is not entirely correct in the current version of Agda (Altenkirch 
and Danielsson 2010), hut for the purposes of this paper the differences 
are irrelevant. 



data = : Aj_ -> Ax -» Set where 

now : now x = now x 

later : 00(^1 = 1 y) —> later x S later y 

(Note that the constructors have been overloaded.) This equivalence 
relation relates diverging computations, and it also relates compu- 
tations which converge to the same value using the same number of 
steps. 

Note that _S_ is a type of potentially infinite proof terms. 
Proving x = y amounts to constructing a term with this type. This 
proof technique is quite different from the usual coinductive proof 
technique (where x e vF for a monotone F if x e X for some 
X C F(X)), so let me show in detail how one can prove that bind 
is associative: 

associative : 

(* ■ A ± )(f : A — > By) (g : C ± ) -> 

(x g) = (r»=/ly->/y»=g) 

We can do this using corecursion and case analysis on x: 

associative (now x) f g = ? 
associative (later x)f g = ? 

We can ask Agda what types the two goals (?) have. The first 
one has type / x 3= g = f x 3= g, and can be completed by 
appeal to reflexivity (refl-= : (x : Aj_) — > x — x can be proved 
separately): 

associative (now x) f g = refl-= (f x g) 

The second goal has type later Ji = later sj for some suspensions 
sj and .s' 2 , so we can refine the goal using a later constructor and a 
suspension: 

associative (later x)f g = later (A ?) 

The new goal has type 
( b x 3 = / 3 = g) = 

so we can conclude by appeal to the coinductive hypothesis: 

associative (later x)fg = later (tt associative ( b x) f g) 

Note that the proof is productive. Agda can see this, because the 
corecursive call is guarded by a constructor and a suspension. 

Strong bisimilarity is very strict. In many cases weak bisimilar- 
ity, which ignores finite differences in the number of steps, is more 
appropriate: 3 


data 

: A ± - 

.Ax -» 

Set where 


now 



now x ™ 

now x 

later 

oo ( b X 

* b ?) 

— > later x ™ 

later y 

later 1 


~ y 

— > later x ™ 

y 

later 1 

X 

* 

— > x ™ 

later y 


This relation is defined using mixed induction and coinduction (in- 
duction nested inside coinduction, vX.pY. F X Y). Note that later 
is coinductive, while later 1 and later r are inductive. An infinite 
sequence of later constructors is allowed, for instance to prove 
never ™ never: 

allowed : never ™ never 
allowed = later (N allowed ) 

However, only a finite number of consecutive later 1 and later r 
constructors is allowed, because otherwise we could prove never ™ 
now x: 

3 Capretta (2005) defines weak bisimilarity in a different but equivalent way. 


disallowed : never ™ now x 
disallowed = later 1 disallowed 

On the other hand, because the induction is nested inside the coin- 
duction it is fine to use an infinite number of later 1 or later r con- 
structors if they are non-consecutive, with intervening later con- 
structors: 

also-allowed : never ™ never 
also-allowed = later r (later (B also-allowed)) 

If we omit the later r constructor from the definition of weak 
bisimilarity, then we get a preorder with the property that 
x > y holds if y terminates in fewer steps than x (with the same 
value), but not if x terminates in strictly fewer steps than y, or if 
one of the two computations terminates and the other does not: 


CL 

65 

& 

1 

2V 

1 

: A ± - 

> Ax -A 

Set where 


now : 



now x > 

now x 

later : 

oo ( b X 

> b ?) 

-» later x > 

later y 

later 1 : 

b x 

£ y 

— > later x > 

y 


It is easy to prove that x = y implies x > y. which in turn implies 

* « y- 

The three relations above are transitive, but one needs to be 
careful when using transitivity in corecursive proofs, because other- 
wise one can “prove” absurd things. For instance, given reft-™ : 
(x : Ax) — > x ™ x and trans -™ : x & y — > y ™ z — > x ™ z 
we can “prove” that weak bisimilarity is trivial: 

trivial : (x y : Ax) — * x ™ y 
trivial xy = 

trans-™ (later r (refl-™ x)) 

(trans-™ (later (® trivial xy)) 

(later 1 (. refl -™ y))) 

This “proof” uses the following equational reasoning steps: x ™ 
later (N x) ™ later (^ y) as y. The problem is that trivial 
is not productive: trans-™ is “too strict”. This issue is closely 
related to the problem of weak bisimulation up to weak bisimilarity 
(Sangiorgi and Milner 1992). 

Fortunately some uses of transitivity are safe. For instance, if 
we are proving a weak bisimilarity, then it is safe to make use of 
already proved greater-than results, in the following way (where 
y $ z is a synonym for z it y): 

x>y-^>y™z^>x™z 

x™y->y<z^>x™z 

(Compare Sangiorgi and Milner’s “expansion up to <”.) Agda does 
not provide a simple way to show that these lemmas are safe, but 
this could be done using sized types as implemented in MiniAgda 
(Abel 20 10). 4 With sized types one can define x ™ 1 y to stand for 
potentially incomplete proofs of x ™ y of size (at least) i, and 
prove the following lemma: 

Vi. x > y — > y ™ l z — > x ™' z 

This lemma is not “too strict”: the type tells us that the (bound on 
the) size of the incomplete definition is preserved. Unfortunately 
MiniAgda, which is a research prototype, is very awkward to use 
in larger developments. 

For more details about coinduction and corecursion in Agda, 
and further discussion of transitivity in a coinductive setting, see 
Danielsson and Altenkirch (2010). 


3 The experimental implementation of sized types in Agda does not support 
coinduction. 



3. A Functional, Operational Semantics 

This section defines an operational semantics for the untyped ,1- 
calculus with constants. Let us start by defining the syntax of the 
language. Just as Leroy and Grail (2009) I use de Bruijn indices to 
represent variables, but I use a “well-scoped” approach, using the 
type system to keep track of the free variables. Terms of type Tm n 
have at most n free variables: 

data Tm (n : N) : Set where 


con 

N 

Tm n 

— Constant. 

var 

Fin n 

Tm n 

— Variable. 

lam 

Tm (1 + n) 

* Tm n 

— Abstraction. 


Tm n — > Tm n - 

Tm n 

— Application. 


Environments and values are defined mutually: 

mutual 

Env : N —> Set 
Env n = Vec Value n 

data Value : Set where 

con : N — > Value — Constant, 

lam : Tm (I + n) —t Env n — > Value — Closure. 

Note that the body of a closure has at most one free variable which 
is not bound in the environment. 

The language supports two kinds of “effects”, partiality and 
crashes. The partiality monad is used to represent partiality, and 
the maybe monad is used to represent crashes: 

[_] : Tm n — > Env n — > ( Maybe Value) j_ 

{Maybe A has two constructors, nothing : Maybe A and just : 
A — > Maybe A.) The combined monad is the maybe monad 
transformer {AM A. M {Maybe A)) applied to the partiality monad. 
We can define a failing computation, as well as return and bind, as 
follows: 

fail : ( Maybe A)j_ 
fail = now nothing 

return : A — > ( Maybe A)x 
return x = now (just x) 

3= : (Maybe A) y — > (A — > (Maybe B)j_) — > (Maybe B)j_ 
now nothing 3= / = fail 
now (just*) »= / = f x 
later jt 3= / = later .v 3= /)) 

It should also be possible to use the reader monad transformer to 
handle the environment, but I believe that this would make the code 
harder to follow. 

With the monad in place it is easy to define the semantics using 
two mutually (co)recursive functions: 

mutual 

[_] : Tm n — > Env n — > ( Maybe Value) j_ 

[ con i ] p = return (con i) 

[ var x ] p = return (lookup x p) 

[ lam t ] p = return (lam t p) 
hi - hip = [ h 1 P =*= Avi^t 
ihi P 3= A V2~> 

V\ • V2 

: Value —> Value — > (Maybe Value) j_ 
con ( i • V 2 = fail 

lam t\ p x • v 2 = later (# ([ t { ] (v 2 :: p\))) 

Constants are returned immediately, variables are looked up in the 
environment, and abstractions are paired up with the environment 
to form a closure. The interesting case is application: t\ • r 2 is 


evaluated by first evaluating t\ to a value v\, then (if the evaluation 
of t\ terminates without a crash) r 2 to v 2 , and finally evaluating 
the application v x • v 2 . If vj is a constant, then we crash. If V] 
is a closure, then a later constructor is emitted and the closure’s 
body is evaluated in its environment extended by v 2 . The result 
contains one later constructor for every /?- redex that has been 
reduced (infinitely many in case of non-termination). 

Note that this is a call-by- value semantics, with functions eval- 
uated before arguments. Note also that the semantics is not compo- 
sitional, i.e. not defined by recursion on the structure of the term, so 
it is not a denotational semantics. (It would be if were defined 
prior to [_]; it is easy to construct a compositional semantics on 
top of this one.) 

Agda does not accept the code above; it is not obvious to 
the productivity checker that [_| and are total (productive) 
functions. If bind had been a constructor, then Agda would have 
found that the code uses a lexicographic combination of guarded 
corecursion and structural recursion: every call path from [_] to 
[_] is either 

1 . guarded by one or more constructors and at least one suspension 

(and nothing else), or 

2. guardedness is “preserved” (zero or more constructors/suspen- 

sions), and the term argument becomes strictly smaller. 

Now, bind is not a constructor, but it does preserve guardedness: 
it takes apart its first argument, but introduces a new suspension 
before forcing an old one — in MiniAgda one can show that bind 
preserves the sizes of its arguments. For a formal explanation of 
totality, see the accompanying code, 5 

The semantics could also have been defined using continuation- 
passing style, and then we could have avoided the use of bind: 

mutual 

[_J cps : Tm n — > Env n — > (Value — > (Maybe A)j_) — > 
(Maybe A)x 

l con i 1 CPS pk = k (con i) 

I var x ] cps p k = k (lookup x p) 

I lam 1 ] C PS P k = k ( |am r P) 

ih-h ] cps pk = In ] cps P (A Vi -> 

II h 1 CPS P v 2 
Or •cps v 2 ) k)) 

•pps : Value —> Value — > ( Value — > (Maybe A)j_) — > 
(Maybe A)j_ 

(con ij *cps v 2) k = fail 

(lam t { p x ^p,, v 2 ) k = later (# ([ f x ] cps (v 2 :: pi) k)) 

This definition would not have made the productivity checker any 
happier (it is productive, though, see the accompanying code). 
However, it avoids the inefficient implementation of bind; note that 
bind traverses the full prefix of later constructors before encounter- 
ing the now constructor, if any. 

Before we leave this section, let us work out a small example. 
The term (Ax.xx) (Ax.xx) can be defined as follows (writing 0 
instead of zero): 

Q : Tm 0 

Q = lam (var 0 • var 0) • lam (var 0 • var 0) 

It is easy to show that this term does not terminate: 


5 In the accompanying code [_] is defined using a data type containing 
the constructors return, _3=_, fail and later, thus ensuring guardedness. 
These constructors are interpreted in the usual way in a second pass over 
the result. This technique is explained in detail by Danielsson (2010). 



Cl-loops : [ i 2 ] [ ] <=a never 
Q -loops = later (' Q.-loops ) 

4. Type Soundness 

To illustrate how the semantics can be used, let us define a type 
system and prove type soundness. 

I follow Leroy and Grail (2009) and define recursive, simple 
types coinductively as follows: 

data Tv : Set where 
nat : Ty 

»_ : oo Ty — > oo Ty — > Ty 

Contexts can be defined as vectors of types: 

Ctxt : N — > Set 
Ctxt n = Wee Ty n 

The type system can then be defined inductively. T I— t e a means 
that t has type a in context T : 

data _l— _e_ (T : Ctxt n ) : Tin n — > TV — > Set where 
con : T I— con i e nat 
var : T h var r 6 lookup x T 
lam : ^ cr :: T I — ? e b r — > T h lam t e rr — > r 
: T h ty e a — > z — > T b (2 e ^ n — > 

T I— t[ ■ t2 e b t 

The use of negative recursive types implies that there are well- 
typed terms which do not terminate. For instance, Q is typeable 
with any type: 

kl-well-typed : (z : Ty) — > [ ] I— Q, e z 
Q.-well-typed z = [a = N a] (r = -t r) 

(lam (var • var)) (lam (var • var)) 
where 0 = t a — > $ z 

(Some implicit arguments which Agda could not infer have been 
given explicitly using the [x = ...) notation.) 

Let us now prove that well-typed programs (closed terms) do 
not go wrong. It is easy to state what should be proved: 

type-soundness : [] I— t e a — > -> ([ t ] [ ] « fail) 

Here is negation (-> A = A — > Empty , where Empty is the 
empty type). As noted by Leroy and Grail it is harder to state type 
soundness for usual big-step semantics, because such semantics do 
not distinguish between terms which go wrong and terms which 
fail to terminate. 

We can start by defining a reusable predicate transformer which 
lifts predicates on A to predicates on ( Maybe A)x ■ If Lift P x holds, 
then we know both that the computation x does not crash, and that 
if x terminates with a value, then the value satisfies P. Lift is defined 
coinductively as follows: 

data Lift (P : A —> Set) : ( Maybe A)j_ — > Set where 
now-just : Px — t Lift P (return x) 

later : 00 ( Lift P ( b x\) — > Lift P (later x) 

The proof below uses the fact that bind “preserves” Lift : 

_~»=-cong_ : Lift P x — > ({x : A) — > P x — > Lift Q (f x)) — > 
Lift Q(x 3 = /) 

Let us now define some typing predicates for values and com- 
putations, introduced mainly as part of the proof of type soundness. 
WFy a v means that the value v is well-formed with respect to the 
type a . This relation is defined inductively, mutually with a corre- 
sponding relation for environments: 


mutual 

data WF\j : Ty — > Value —> Set where 
con : WF\j nat (con i) 
lam : b o :: T I- t e b z -* WF E T p -» 

WFsj (o —o z) (lam t p) 

data WF e : Ctxt n — > Env n — > Set where 

[] : WE e [] [] 

: WFsj a v WF E T p — > WF E (0 :: T) (v :: p) 

The most interesting case above is that for closures. A closure 
lam t p is well-formed with respect to a — » r if there is a context T 
such that T I— lam t e 0 —> z and p is well-formed with respect to 
T. The predicates are related by the following unsurprising lemma: 

lookup w f : ( x : Fin n) — > WF E T p — > 

WF\ ( lookup x T) ( lookup x p) 

We can use the predicate transformer introduced above to lift 
WFv to computations: 

WF _ |_ : Ty — > ( Maybe Value) j_ — > Set 
WFy o x = Lift ( WFy o ) x 

Non-terminating computations are well-formed, and terminating 
computations are well-formed if they are successful (not nothing) 
and the value is well-formed. The following lemma implies that 
type soundness can be established by showing that [ t ] [ ] is well- 
formed: 

does-not-go-wrong : WFy 0 x — > -> (x fail) 
does-not-go-wrong (now-just ) () 
does-not-go-wrong (later wf) (later 1 eq) = 
does-not-go-wrong C wf) eq 

Recall that negation is a function into the empty type. The lemma 
is proved by structural recursion: induction on the structure of 
the proof of x « fail. The first clause contains an “absurd pat- 
tern”, (), to indicate that there is no constructor application of type 
return v & fail. 

We can now prove the main lemma, which states that the 
computations resulting from evaluating well-typed terms in well- 
formed environments are well-formed. This lemma uses the same 
form of nested corecursion/structural recursion as the definition of 
the semantics: 

mutual 

Uwf : T I— t e cr -> WF E T p -> WFya(\t\p) 
Ilwf con Pw f = now-just con 

Owf ( var {* = 4 ) Pwf = now-just (lookup^ x p wf ) 

iwf ( |am ? e) Pwf = now-just (lam t G p wf ) 

Owf L ■ he) Pwf = 

Owf ^le Pwf »=-cong ). / w f > 

Owf r 2e Pwf cong X v wf -> 

•wf/wf Vwf 

•wf : WFy (a -O z) f -t WFy ( b a) v -t 
WFy ( b r) (f • v) 

•wf ( lam he P I wf) v 2wf = 

later Owf f le (V2wf :: Pi wf)) 

The implicit variable pattern [x = .y) is used to bind the variable 
y, which is used on the right-hand side. 

Finally we can conclude: 

type-soundness : [] I —tea — » _, (|[f][] Ri fail) 
type-soundness t G = does-not-go-wrong ([] wf te [ ]) 

Note that there is only one case for application in the proof above 
(plus one sub-case in » w f)- 



The proof of type soundness is formulated for a functional se- 
mantics defined using environments and closures, whereas Leroy 
and Grail (2009) prove type soundness for relational semantics de- 
fined using substitutions. I have chosen to use environments and 
closures in this paper to avoid distracting details related to substi- 
tutions. However, given an implementation of the operation which 
substitutes a term for variable zero it is easy to define a substitution- 
based functional semantics using the partiality monad, and given a 
proof showing that this operation preserves types it is easy to adapt 
the proof above to this semantics. See the accompanying code for 
details. 

The proof above can be compared to a typical type sound- 
ness proof formulated for a relational, substitution-based small- 
step semantics. Such a proof often amounts to proving progress 
and preservation: 

progress : [ ] h- t e a — > Value t l±l 3 X / — > t / 

preservation : [ ] I —tea — > fW [] ht' so- 

Here Value t means that t is a value, is the small-step relation, 
and 3 X / — > ... can be read as “there exists a / such that. . . ”, 
Given these two lemmas one can prove type soundness using classi- 
cal reasoning (Leroy and Grail 2009): 

type-soundness : [ ] I— t e a — > 

t ~>°° l+J 3 X t 1 — > t f x Value f 

Here is the reflexive transitive closure of t 

means that t can reduce forever, and _x_ can be read as “and”. 
(Note that this statement of type soundness is inappropriate for 
non-deterministic languages, as it does not rule out the possibility 
of crashes.) The lemma |] w f above can be seen as encompassing 
both progress and preservation, plus the combination of these two 
lemmas into type soundness. This combination does not need to 
involve classical reasoning, because WFj_ is defined coinductively. 

5. The Semantics are Classically Equivalent 

Let us now prove that the semantics given in Section 3 is classically 
equivalent to a relational semantics. 

The semantics given in Figures 1-2 can be adapted to a setting 
with well-scoped terms and de Bruijn indices in the following way: 

data _l— _Jj_ ( p : Env n) : Tin n — > Value — > Set where 
con : p \- con Jj con i 
var : p \- var x Jj lookup x p 
lam : p \- lam t Jj. lam t p 
app : p I— t\ Jj lam t' p’ — > p I— t 2 Jj v 7 — > 

V :: p' \- t' Jj v p \- tx ■ t 2 Jj v 

data _l — "fj (p : Env n) : Tin n — > Set where 

app 1 : oo (p t x ft) p \~ ti ■ t 2 ft 

app r : pi — Jj v oo(pb t 2 fj) -> p I- ft ■ t 2 ft 

app : p I— t\ Jj lam / p' — > p I— t 2 Jj V — > 

oo (V :: p’ \- t! ft) -> p \- t x ■ t 2 jj 

_l— _i : Env n — > Tm n — > Set 
p \~t i = -> (3 X v p \- t Jj v) x (p t fj) 

Note that _l — — Jj_ is defined inductively and _l — "|T coinductively. 

How should we state the equivalence of _l — Jj_/_l — _fT/ I — ^ 

and [[_]]? The following may seem like a suitable statement: 

pi — r Jj v <=> [ f ] p « return v 

pi— i ft <=> [j r ]] p «s never 

p I— t i <=> | f ] p as fail 

However, in a constructive setting one cannot prove that [tip as 
never implies p I— t fj. To see why, let us try. Assume that we 

have a proof p of type [ t\ ■ t 2 ] p as never. Now we need to 


construct a proof starting with either app 1 , app 1 or app. In order 
to do this we need to know whether t\ terminates or not, but this is 
not decidable given only the proof p. It also seems unlikely that we 
can prove that p \- t h implies [tip as fail : one might imagine 
that this can be proved by just executing [ t ] p until it terminates 
and then performing a case analysis, but the fact that t does not fail 
to terminate is not (obviously) enough to convince Agda that it does 
terminate. 

We can avoid these issues by assuming the following form of 
excluded middle, which states that everything (in Set) is decidable: 


EM : Set i 

EM = (A : Set) — > A l±l - A 


We end up with the following six 

P I- t Jj v 
P 1“ t fj 

[ f ] p return v 
EM — > [ t ] p *s never 
EM p h t i 


proof obligations: 


[[ t ] p return v 

(1) 

[ t ] p never 

(2) 

p 1- t Jj V 

(3) 

p hrfT 

(4) 

II 1 1 p » fail 

(5) 

p 1 i 

(6) 


1 1 ] p « fail 

The last two follow easily from the previous ones, so let us focus 
on the first four: 


1. Given p : p I — ? Jj v it is easy to prove [ t ] p return r’ by 
recursion on the structure of p. 

The only interesting case is application. Let us introduce the 
following abbreviation: 

x\ [[•] x 2 = JTj 3= 2 v\ — > x 2 3= X v 2 — > V\ • v 2 

We can then proceed as follows (using the same names as in the 
app constructor's type signature): 

ih ■ til p - 

Ini/) H [ h ] p ^ 

return (lam f p') [[•] return V > 

I S ] W ■■■■ p r ) 

return v 


The inductive hypothesis is used twice in the second step and 
once in the last one. 

2. One can prove that p I— t fj implies [ t ] p % never using 
corecursion plus an inner recursion on the structure of t. 

In the case of the app constructor we can proceed as follows: 

lh ■ til P — 

I h ] P H I h ] p > 

return (lam / p r ) [[•] return V = 

later (Hit'] (v' :: p’)) ** 

never 


The second step uses (1) twice, once forpi : p I— t\ Jj lam / p' 
and once for p 2 : p I— t 2 Jj v' , plus the fact that x now i' 
implies that x > now v. The last step uses the coinductive hy- 
pothesis (under a guard) for p 2 : v' :: p' V- t' fj. 

The app 1 case is different: 

II h ■ t 2 1 p = 

[ h 1 P H I h ] P « 
never [■] 1 1 2 ] p S 
never 


The last step uses the fact that never is a left zero of bind. The 
second step uses the inductive hypothesis for p : pi — ?i fT; 
note that t\ is structurally smaller than t\ ■ t 2 , and that this call 
is not guarded. 



The app r case is similar to the app 1 one, and omitted. 

Note that the use of transitivity in this proof is safe, as discussed 
in Section 2. 

3. Given p : [ f ] p % return v one can observe that p cannot 
contain the constructors later or later/ it must have the form 
later 1 (. . . (later 1 now) . . .), with a finite number of later 1 
constructors — one for every ^-reduction in the computation of 
[ t ] p. Let the size of p be this number. One can prove that 
[ t ] p return v implies p I — t f) v by complete induction 
on this size. 

Only the application case is interesting. We can prove the fol- 
lowing inversion lemma: 

(. x 3= /) return v — > 

3 A v' — t ( x return V) x (f v 1 return v) 

Here the size of the left-hand proof is equal to the sum of the 
sizes of the two right-hand proofs. If we have [ H ' f 2 ] P 
return v, then we can use inversion twice plus case analysis 
to deduce that [ t\ J p % return (lam t' p') and [ 1 P ^ 

return V for some /, p' , V such that [ t' ] (V :: p') return v. 
We can finish by applying app to three instances of the induc- 
tive hypothesis, after making sure that the proofs are small 
enough. 

This proof is a bit awkward when written out in detail, due to 
the use of sizes. 

4. Finally we should prove that excluded middle and [ t ] p 
never imply p I— t ft. This can be proved using corecursion. 

As before the only interesting case is application. We can prove 
the following inversion lemma by using excluded middle: 

(. x 3= /) never — » 
x « never l±J 

3 A v —> (x return v) x (f v never ) 

If x 3= / does not terminate, then either x fails to terminate, 
or x terminates with a value v and/ v does not terminate. Given 
a proof of \t\ • f 2 J p never we can use inversion twice to 
determine which of app 1 , app r and app to emit, in each case 
continuing corecursively (and in the latter two cases also using 
(3)). 

6. Virtual Machine 

This section defines a virtual machine (VM), following Leroy and 
Grail (2009) but defining the semantics functionally instead of 
relationally, and using a well-scoped approach. (The accompanying 
code contains a relational semantics and a proof showing that it is 
equivalent to the functional one.) 

The VM is stack-based, and uses the following instructions: 

mutual 

data Instr ( n : N) : Set where 


var 

Fin n 

-» Instr n 

— Push variable. 

con 

N 

-» Instr n 

— Push constant. 

clo 

Code (1 + n) - 

-» Instr n 

— Push closure. 

app 


Instr n 

— Apply function. 

ret 

Code : 

N — > Set 

Instr n 

— Return. 


Code n = List (Instr n) 

Instructions of type Instr n have at most n free variables. The type 
family Code consists of sequences of instructions. 

Values and environments (VM-Value and VM-Env) are defined 
as in Section 3, but using Code instead of Tin in the definition of 
closures. Stacks contain values and return frames: 


data Stack-element : Set where 

val : VM-Value — > Stack-element 

ret : Code n — > VM-Env n — > Stack-element 

Stack : Set 

Stack = List Stack-element 

The VM operates on states containing three components, the 
code, a stack, and an environment: 

data State : Set where 

: Code n —> Stack — > VM-Env n — > State 

The result of running the VM one step, starting in a given state, is 
either a new state, normal termination with a value, or abnormal 
termination (a crash): 

data Result : Set where 

continue : State — t Result 

done : VM-Value — > Result 

crash : Result 

The function step (see Figure 3) shows how the result is computed. 

Given step it is easy to define the VM’s semantics corecursively: 

exec : State — > (Maybe VM-Value) j_ 
exec s with step s 

... | continue / = later (N exec s') 

... | done v = return v 

... | crash = fail 

In a state j-, run step s. If the result is continue s', continue running 
from s'; if it is done v, return v; and if it is crash, fail. 

The function exec is an example of a functional, small-step 
operational semantics. As before it is clear that the semantics is 
deterministic and computable, and just as with a relational small- 
step semantics we avoid duplication of rules. However, the use of a 
wild-card in the last clause of step means that it is possible to forget 
a rule. If we tried to omit one of the clauses from the definition of 
[_] (Section 3), then the definition would be rejected, but this is not 
the case for the first six clauses of step. 

7. Compiler Correctness 

Let us now define a compiler front Tm to Code and prove that 
it preserves the semantics of the input program. The definition 
follows Leroy and Grail (2009), but uses a code continuation to 
avoid the use of list append and some proof overhead (Hutton 2007, 
Section 13.7): 

comp : Tm n —> Code n — > Code n 

comp (con i) c = con i :: c 

comply ar x) c = var.r::c 

comp (lam t) c = clo (comp t [ret]) :: c 

comp (tj • ? 2 ) c = comp t\ (comp tj (app :: c)) 

We can also “compile” values: 

comp v : Value —> VM-Value 
comp v (con i) = con i 

comp v (lam t p) = lam (comp t [ret]) ( map comp v p) 

I state compiler correctness as follows: 

correct : (t : Tm 0) — > 

exec ( comp t [],[],[] > ~ 

( [[ t ] [ ] 3= A v —> return (compy v)) 

Given a closed term t, the result of running the corresponding 
compiled code (comp t [ ]) on the VM (starting with an empty stack 
and environment), should be the same as evaluating the term (in 



step : State 
step ( [ ] 

— > Result 
, val v : 

[] 

,[] > 

= done v 



step ( var x 

: c, 


s,P ) 

= continue ( c , val (lookup x p) 

: s , 

p 

step (con i 

■ c, 


S,p ) 

= continue ( c , val (con i) 

: s , 


step ( clo c' 

: c. 


S,P ) 

= continue ( c , val (lam c' p) 

: s , 


step ( app 

: c, val v : 

val (lam d p') 

:s,p) 

= continue ( d , ret c p 

: s, v 

■ p 

step ( ret 
step _ 

: c, val v : 

ret c' p' 

:s,p) 

= continue ( d, val v 
= crash 

: s , 

p 


Figure 3. A function which computes the result of running the virtual machine one step from a given state. 


an empty environment) and, if evaluation terminates with a value, 
return the “compiled” variant of this value. 

We can compare this statement to a corresponding statement 
phrased for relational semantics: 

([] I - t || v <=> ( comp f [],[],[]) ~>* 

( [], val (comp v v) ::[],[]» x 
(m-ftt <=> (comp t [],[], []>~»°°) x 
([] I ~ti <=> { comp t [],[],[]> 

Here : State — » State — > Set is the VM's small-step relation, 
its reflexive transitive closure, s -v^ 00 means that there is an 
infinite transition sequence starting in s, and s means that there 
is a “stuck” transition sequence starting in s (i.e., a sequence which 
cannot be extended further, and which does not end with a state of 
the form ( [], val _ [], [] )). I prefer the statement of correct 

above: I find it easier to understand and get correct. 

Let us now prove correct. In order to do this the statement can 
be generalised as follows: 

correct 1 : 

( t : Tm n) { k : Value — > ( Maybe VM-Value ) jJ 
( hyp : (v : Value) — > 

exec ( c, val ( comp v v) :: s, map comp v p ) ss k v) — > 
exec { comp t c, s, map comp v p ) ([ t ] p 3= k) 

This statement is written in continuation-passing style to avoid 
some uses of transitivity (which can be problematic, as discussed 
in Section 2). The statement is proved mutually with the following 
one: 

• -correct : 

(iq v 2 : Value) (fc : Value — > (Maybe VM-Value) j_} 

(hyp : (v : Value) — > 

exec ( c, val (comp v v) :: s, map comp v p ) « k v) — > 
exec ( app :: c, val (comp v t’ 2 ) :: val (comp v iq) :: s, 
map comp v p ) 

% (iq • v 2 3= k) 

The statements can be proved using the same recursion structure as 
Ucps^’cps- m i xe d corecursion/structural recursion. 

The interesting case of correct' is application, where we can 
proceed as follows (with safe uses of transitivity): 

exec ( comp q (comp f 2 (app :: c)), s, map comp v p ) 

I H ] P 3 *= A vi -> I f 2 j p 3= 2 v 2 iq • v 2 3= k = 

I h ] p »= X vi -> ([ f 2 ] p 3 = A v 2 -> vi • v 2 ) 3= k = 

([ h 1 P lt 2 \p 3= lv 2 -> iq • v 2 ) 3 = k = 

lh-h\p »= k 

The last three steps use associativity of bind twice. (These uses 
of associativity could have been avoided by using continuation- 
passing style instead of bind when defining the semantics. See the 
accompanying code.) The first step is more complicated. Here is its 
proof term: 


correct 1 t\ (A iq — > correct 1 f 2 (A v 2 — > •-correct vq v 2 hyp)) 

First an appeal to the inductive hypothesis (fj is structurally smaller 
than t\ ■ f 2 ), then, in the continuation, another appeal to the in- 
ductive hypothesis, and finally, in the nested continuation, a use 
of •-correct. 

The interesting case of •-correct is when iq is a closure, 
lam t\ p\ , in which case we need to prove that 

exec ( app :: c, val (comp v iq) :: val (comp v (lam q /q)) :: s, 
map compy p ) 

is weakly bisimilar to 

lam t\ pi • v 2 3 = k. 

We can start by emitting a later constructor and suspension: 
later (# ?) 

The question mark should be replaced by a proof showing that 

exec ( comp t\ [ret], ret c (map comp v p) :: s, 
map compy (v 2 :: pi) ) 

is weakly bisimilar to 

II h ] (v 2 :: pi) 3= k. 

This can be proved by appeal to the coinductive hypothesis: 

correct ' q (Iv-t later 1 (hyp v)) 

Here the use of later 1 corresponds to the reduction of 

exec ( [ret], val (comp v v ) :: ret c (map comp v p) :: s, 
map compy (v 2 :: p\) ) 

to 

exec ( c, val (comp v v) :: s, map comp v p ), 

which has the right form for the use of hyp. 

The proof sketch above — and especially the compact proof 
terms — may look a bit bewildering. Fortunately one does not have 
to understand every detail of a machine-checked proof. It is more 
important to understand the statement of the theorem. 6 Further- 
more, the writer of the proof has the support of a proof assistant, 
that in my case provided much help with the construction of the 
proof terms. 

The proof above can be compared to that of Leroy and Grail 
(2009), who prove the following two implications (in their slightly 
different setting): 

[ ] I- t U v -> ( comp t [],[],[]) 

( [], val (compy v) ::[],[]> 
f] l-f ft -> ( comp t [],[],[] )-3°° 


6 With the caveat that one should not put too much trust into Agda, which 
is a very experimental system. 



Consider application. In the proof above there is one case for ap- 
plication, with two sub-cases, one for crashes and one for closures. 
In the proof of the two implications there are four cases for ap- 
plication: one in case of termination and three for non-terminating 
applications. The rule duplication in the semantics shows up as rule 
duplication in the proof. 

8. Non-determinism 

The compiler correctness statement used above is sometimes too 
restrictive (Leroy 2009). For instance, evaluation order may be 
left up to the compiler. This section illustrates how this kind of 
situation can be handled by defining a non-deterministic language, 
and implementing a compiler that implements one out of many 
possible semantics for this language. 

The syntax of the language defined in Section 3 is extended with 
a term-former for non-deterministic choice: 

_|_ : Tm n — > Tin n —> Tm n 

The semantic domain is now the maybe monad transformer applied 
to the partiality monad transformer (AM A. vX. M (A l+J X) for 
strictly positive monads M) applied to a non-determinism monad 
(AA. fiX. A l+l X x X\ Moggi (1990)), implemented monolithi- 
cally as follows: 


data D (A 

: Set) : Set where 

fail 


DA 

return 

A 

^ DA 

-1- 

DA^DA- 

^ DA 

later 

oo (DA) 

^ DA 


3= : (A — > D fi) — > D fi 

fail / = fail 

return x 3= / = f x 

( xi I x 2 ) 3= / = ( xi 3= /) | (x 2 3= /) 

later x 3= / = later (f x 3= /)) 

As before the monad laws hold up to strong bisimilarity, which can 
be defined as follows: 

data _=_ : D A —> D A — > Set where 


fail 



fail 

= fail 

return 



return x 

= return x 

-1- 

xi = yi 

*2 - T2 - 

* Xl | X'2 

- yi 1 yi 

later 

OO X = 

b v) 

-> later x 

= later y 


Finally we can extend the semantics by adding a clause for choice 
(note that _|_ is overloaded): 

II h I h 1 P = I h 1 P I II h ] P 

It may be worth pointing out that now the semantics is no longer 
deterministic, despite being defined as a function. 

As an example we can define a call-by-value fixpoint combi- 
nator (Z = Af. ( Ag.f (Ax. g g x)) (Ag.f (Ax. g g x))) and a non- 
deterministic non-terminating term (t = Z (Af x. f x\f x) 0): 

Z : Tm 0 
Z = lam (h ■ h) 

where h = lam (var 1 • lam (var 1 ■ var 1 • var 0)) 
t : Tm 0 

t = Z • lam (lam (var 1 • var 0 | var 1 • var 0)) • con 0 
The semantics of t, [ t ] [ ], is strongly bisimilar to t-sem: 
t-sem : D Value 

t-sem = later (N later later (H later (8 (t-sem | t-sem))))) 

The virtual machine is unchanged, so the compiler correctness 
statement will relate deterministic and non-deterministic computa- 


tions. To do this we can use the following variant of weak bisimi- 
larity: 

data ~ e : (Maybe A ) —> D A —> Set where 
fail : now nothing fail 

return : now (just x) return x 

I 1 : x « G vi x « G yi | y 2 

I 1 ' ; x « G y 2 y\ I T2 

later : oo (^ x « G ^ y) — > later x « G later y 

later 1 : ^ x « G y — > later x w G y 

later r : x « G ^ y — t x w G later y 

You can read x « G y as “x implements one of the allowed seman- 

tics of y”. 

Compiler correctness can now be stated as follows: 

correct : (t : Tm 0) — » 

exec ( comp / [],[],[]) « G 

[ t ] [] 3= iv-> return (comp y v) 

If we extend the compiler in the following way, then we can prove 
that it is correct using an argument which is very similar to that in 
Section 7: 

comp (tj | tf) c = comp fj c 

We can also prove type soundness for the non-deterministic 
language, using the type system from Section 4 extended with the 
following rule: 

_|_ : F t[ e o —> r t 2 £ c — > r I- f! | f 2 e <r 

Type soundness can be stated using _« G _. Type-correct terms 
should not crash, no matter how the non-determinism is resolved: 

type-soundness : [ ] I —tea — > 

—> (now nothing ^ G [?]][]) 

It is easy to prove this statement by adapting the proof front Sec- 
tion 4. All it takes is to extend the Lift type with the constructor 

_|_ : Lift P x — > Lift P y — > Lift P (x | y), 

and then propagating this change through the rest of the proof. 
Note that the new definition of Lift uses induction nested inside 
coinduction (as do D and _« G _). 

9. Term Equivalences 

Let us now return to the deterministic language from Section 3. 
Weak bisimilarity as defined in Section 2 is, despite its name, a very 
strong notion of equality for the semantic domain (Maybe Value) y. 
We can lift this equality to closed terms in the following way: 

_=_ : Tm 0 — > Tm 0 — > Set 
h = h = [ h ] [] [ t 2 ]] [] 

This is a very syntactic equality, which distinguishes the obser- 
vationally equivalent terms t\ = lam (lam (var 0)) • con 0 and 
t 2 = lam (var 0), because 

[fill! 

return (lam (var 0) (con 0 :: [])) ^ 
return (lam (var 0) []) 

[fc] 

The relational big-step semantics from Section 5 is no different: 
[ ] I — t\ JJ. v does not imply that we have [ ] I— t 2 JJ. v. 

This section defines some less syntactical term equivalences. 
Discussion of the finer points of these equivalences is out of scope 
for this paper; the main point is that they can be defined without too 
much fuss. 



Let us start by defining a notion of applicative bisimilarity 
(Abramsky 1990). Computations are equivalent if they 

are weakly bisimilar, with equivalent (rather than equal) possi- 
bly exceptional values; possibly exceptional values are equivalent 
if they are of the same kind and, in the case of success, 
contain equivalent values; and values are equivalent (_«y_) if they 
are either equal constants, or closures which are equivalent when 
evaluated with the free variables bound to an arbitrary value: 7 

mutual 

data : 

{Maybe Value) j_ — > {Maybe Value) ± — > Set where 
now : it ^mv v — > now u «*j_ now v 

later : oo C x «*j_ ^ y) — > later x later y 

later 1 : ^ x «j_ y — > later x y 

later 1 : x «*j_ ^ y — > x later y 

data _^MV- : Maybe Value — > Maybe Value — > Set where 
just : u «v v — > just u ®^MV j us1: v 

nothing : nothing =^mv nothing 

data _-”Y_ : Value -> Value — > Set where 
con : con i say con < 

lam : (V v -t oo ([ t x ] (v :: pi) [ t 2 1 (v :: p 2 ))) 
lam t\ p\ «sy lam t 2 P 2 

This is yet again a definition which uses induction nested inside 
coinduction. Note that the lam constructor is coinductive. If this 
constructor were inductive, then the relations would not be reflex- 
ive: lam (var zero) [ ] would be provably distinct from itself. 

Using the relations above we can define applicative bisimilarity 
by stating that terms are equivalent if they are equivalent when 
evaluated in an arbitrary context: 

: Tm n — > Tm n — > Set 
h «*t = V p [ t\ ] p «j_ I *2 1 P 

The definition of j_- is very similar to the definition of weak 
bisimilarity in Section 2. It is possible to define a single notion of 
weak bisimilarity, parametrised by a relation to use for values. The 
accompanying code uses such a definition. 

Let us now turn to contextual equivalence. Contexts with zero 
or more holes can be defined as follows: 

data Context {in : N) : N — > Set where 


hole : 


Context in m 

con : N 

- 

Context in n 

var : Fin n 

- 

X Context in n 

lam : Context m (1 + it) 

X Context in n 

: Context m n - 

Context m n - 

■> Context m n 


The type Context m n contains contexts whose holes expect terms 
of type Tin m. If we fill the holes, then we get a term of type Tm n: 

_[_] : Context m n — > Tm m — > Tm n 

hole [r] = t 

con i [r] = con i 

varx [f] = var x 

lam C [r] = lam (C [f]) 

(C] ■ C 2 ) [f] = C, [ t ] ■ C 2 M 

Contextual equivalence can be defined in two equivalent ways. 
The usual one states that t\ and t 2 are contextually equivalent if 
C [t\ ] terminates iff C [t 2 ] terminates, for any closing context C: 

_(j. : A ± -» Set 
x j). = 3 2 i' — > x « now v 

7 V v — > ... means the same as (v : _) — > . . .; Agda tries to infer the value 
of the underscore automatically. 


: Tm n — > Tm n — > Set 

h t 2 = VC -> [C[f!]] [] a. <=> [ C [f 2 ] ] [] jj. 

However, we can also define contextual equivalence using weak 
bisimilarity: 

: Tm n — > Tm n — > Set 

h t 2 = vc -» [ctniH] «° [ c [f 2 ] ] [] 

Here _r^°_ is a notion of weak bisimilarity which identifies all 
terminating computations: 

now : now u now i' 

It is easy to prove that these two notions of contextual equivalence 
are equivalent. 

As an aside one can note that the contextual equivalences above 
are a bit strange, because there is no context which distinguishes 
con 0 from con 1. This could be fixed by extending the language 
with suitable constructions for observing the difference between 
distinct constants. 

10. Conclusions 

When writing down a semantics I think one of the main priorities 
should be to make it easy to understand. Sometimes a more com- 
plicated definition may be more convenient for certain tasks, but 
in that case one can define two semantics and prove that they are 
equivalent. 

I hope I have convinced you that functional operational seman- 
tics defined using the partiality monad are easy to understand. I 
have also used two such semantics to state a compiler correctness 
result, and I find this statement to be easier to understand than a cor- 
responding statement phrased using relational semantics (see Sec- 
tion 7). 

The semantics also seem to be useful when it comes to proving 
typical meta-theoretic properties, at least for the simple languages 
discussed in this paper. I have proved type soundness and com- 
piler correctness directly for the semantics given above. The type 
soundness proof in Section 4 is given in relatively complete, formal 
detail, yet it is short and should be easy to follow. Furthermore, as 
mentioned in Section 7, the compiler correctness proof avoids some 
duplication which is present in a corresponding proof for relational 
semantics. 

As discussed above the support for total corecursion in lan- 
guages like Agda and Coq is somewhat limited: definitions like 
[_] are often rejected. However, my experience with sized types 
in MiniAgda (see Section 2) is encouraging. 1 suspect that a more 
polished implementation of sized types could be quite satisfying to 
work with. 

Finally I want to mention a drawback of this kind of semantics: 
proofs which proceed by induction on the structure of 
when a relational big-step semantics is used can become somewhat 
awkward when transferred to this setting, as illustrated by the proof 
in Section 5 showing that [ t ] p return v implies p I— t jj. v. 
However, it is unclear to me how often this is actually a problem. 
For instance, neither the type soundness proofs nor the compiler 
correctness proofs in this paper are affected by this drawback. 
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